Bug 1540757 - Mark SVG scripts as malformed when popped by HTML breakout from foreign content. r=alchen
authorHenri Sivonen <hsivonen@hsivonen.fi>
Fri, 05 Apr 2019 10:49:25 +0300
changeset 469597 48f7c91bbdbf
parent 469596 4aeaae90b1a1
child 469598 aad2748fe8f9
push id35875
push userccoroiu@mozilla.com
push dateTue, 16 Apr 2019 04:06:16 +0000
treeherdermozilla-central@a83cab75b00d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersalchen
bugs1540757
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1540757 - Mark SVG scripts as malformed when popped by HTML breakout from foreign content. r=alchen Differential Revision: https://phabricator.services.mozilla.com/D26276
parser/html/javasrc/TreeBuilder.java
parser/html/nsHtml5TreeBuilder.cpp
testing/web-platform/tests/html/syntax/parsing/unclosed-svg-script.html
--- a/parser/html/javasrc/TreeBuilder.java
+++ b/parser/html/javasrc/TreeBuilder.java
@@ -1723,17 +1723,17 @@ public abstract class TreeBuilder<T> imp
                         case TABLE:
                         case FONT:
                             // re-check FONT to deal with the special case
                             if (!(group == FONT && !(attributes.contains(AttributeName.COLOR)
                                     || attributes.contains(AttributeName.FACE) || attributes.contains(AttributeName.SIZE)))) {
                                 errHtmlStartTagInForeignContext(name);
                                 if (!fragment) {
                                     while (!isSpecialParentInForeign(stack[currentPtr])) {
-                                        pop();
+                                        popForeign(-1, -1);
                                     }
                                     continue starttagloop;
                                 } // else fall thru
                             }
                             // CPPONLY: MOZ_FALLTHROUGH;
                         default:
                             if ("http://www.w3.org/2000/svg" == currNs) {
                                 attributes.adjustForSvg();
--- a/parser/html/nsHtml5TreeBuilder.cpp
+++ b/parser/html/nsHtml5TreeBuilder.cpp
@@ -728,17 +728,17 @@ starttagloop:
           case FONT: {
             if (!(group == FONT &&
                   !(attributes->contains(nsHtml5AttributeName::ATTR_COLOR) ||
                     attributes->contains(nsHtml5AttributeName::ATTR_FACE) ||
                     attributes->contains(nsHtml5AttributeName::ATTR_SIZE)))) {
               errHtmlStartTagInForeignContext(name);
               if (!fragment) {
                 while (!isSpecialParentInForeign(stack[currentPtr])) {
-                  pop();
+                  popForeign(-1, -1);
                 }
                 NS_HTML5_CONTINUE(starttagloop);
               }
             }
             MOZ_FALLTHROUGH;
           }
           default: {
             if (kNameSpaceID_SVG == currNs) {
--- a/testing/web-platform/tests/html/syntax/parsing/unclosed-svg-script.html
+++ b/testing/web-platform/tests/html/syntax/parsing/unclosed-svg-script.html
@@ -2,29 +2,37 @@
 <meta charset=utf-8>
 <title></title>
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script>
     var scriptWithEndTagRan = false;
     var scriptWithoutEndTagRan = false;
     var scriptWithBogusEndTagInsideRan = false;
+    var scriptWithBreakout = false;
 </script>
 <svg>
     <script>scriptWithEndTagRan = true;</script>
 </svg>
 <svg>
     <script>scriptWithoutEndTagRan = true;
 </svg>
 <svg>
     <script>scriptWithBogusEndTagInsideRan = true;</g></script>
 </svg>
+<svg>
+    <script>scriptWithBreakout = true;<s></script>
+</svg>
+</s>
 <script>
     test(function() {
         assert_true(scriptWithEndTagRan);
     }, "SVG scripts with end tag should run");
     test(function() {
         assert_false(scriptWithoutEndTagRan);
     }, "SVG scripts without end tag should not run");
     test(function() {
         assert_true(scriptWithBogusEndTagInsideRan);
     }, "SVG scripts with bogus end tag inside should run");
+    test(function() {
+        assert_false(scriptWithBreakout);
+    }, "SVG scripts ended by HTML breakout should not run");
 </script>